Supreme Court issues notice to RBI on Bitcoin regulation

The war on Bitcoin… Should it be legalized? Banned? Or left to find its own fate in the chaotic, unregulated and anonymous crypto world? The question has now reached the door of the Supreme Court of India.

A Public Interest Litigation has been filed (Writ Petition (Civil) no. 406 of 2017) under Article 32 of the Constitution against the Union of India, the Ministry of Finance and the Reserve Bank of India, against the use and business of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as Bitcoins, litecoins, bbqcoins, dogecoins etc.

Vijay Pal Dalmia, an Advocate, along with Mr. Siddharth Dalmia, an engineer and a law student, are the petitioners.

We appreciate the action taken and ensuring that it is not only against Bitcoin but against all Alt Coins. This was extremely essential since all anonymous Crypto Currencies are fungible and alert criminals have already converted their Bitcoins into Ethereum or other coins and hence banning only Bitcoin and leaving the rest would not be of help.

The petition was heard on 14th July by a Bench of Hon’ble Chief Justice of India J.S. Khehar and Hon’ble Mr. Justice D. Y. Chandrachud, which gave four weeks to the Reserve Bank of India to examine all security related issues about virtual currency, including BitCoin, and respond to the Petitioners.

RBI had three options before it, namely “Ban”, “Regulate” or “Continue to Observe” (or procrastinate).

The petition has now removed one of these options, namely “Continue to Observe”. RBI has no option but to respond.

In the meantime, the Finance Ministry has set up a task force in which RBI is also represented along with SBI, and that is expected to give its view much before the 4 week deadline of the SC. Hence RBI may simply forward a copy of the report of the committee and not take any other decision of its own.

So, Supreme Court should have actually issued a notice to the “Bitcoin Task force” (Which is as much anonymous as the Bitcoin as regards its constitution) to respond directly to the Supreme Court.

By asking RBI to respond directly to the petitioner, it appears that Supreme Court is trying to avoid taking a view unless it is forced.

While it is good that Bitcoin has come under the radar of the Supreme Court, the resolution of the Court is not satisfactory. Perhaps the Court is yet to understand the full implications of legalization of Bitcoins and its impact on the society.

When Shreya Singhal brought a public interest litigation on scrapping of Section 66A of ITA 2008, the then CJI commented… “We were waiting for somebody to file the petition”….. It was no surprise that the Court in its final order in this case eloquently upheld the “Freedom of Expression” as a constitutional right and went overboard in interpreting Section 66A in a manner that suited its pre-disposition, resulting in the scrapping of Section 66A of ITA 2008.

However, in this matter of Bitcoin, the Honourable Supreme Court has failed to recognize the impact on Terrorist Finance and Black Money Creation if Bitcoin is allowed to remain in the environment. This is regrettable.

We seriously believe that the Bitcoin community is trying to corrupt all decision makers to provide a favourable decision to legalize Bitcoins, which is a darling of every corrupt bureaucrat, businessman, politician, or even a corrupt member of the Judiciary.

Hence the longer the decision lingers on there is a greater probability that the decision makers may be corrupted. I will not be surprised if some of them might have already found in their mail box, mails indicating that a certain number of bitcoins are credited to their bitcoin wallet. A decision should therefore be arrived at soon.

It is now for Mr Narendra Modi, the saviour of India, to take note that if Bitcoin is allowed to be legalized, then all his effort on Demonetization would go to the dogs. Wish somebody close to him brings this to his personal attention without getting it filtered out so that a proper decision can be taken by the Task force.

The proper decision means “Banning all holdings and activities surrounding Bitcoin and every other privately managed Crypto Coin” and nothing short of it.

If the RBI’s reply is not satisfactory or the Task force comes out with a contrarian decision, I wish the petitioners of this PIL approach the Supreme Court once again for a decision to save the country.

Alternatively, the Bench should modify the order and ask the Task force of the Finance Ministry to respond directly to the Supreme Court within the next 15 days so that the hearing may continue.

Naavi



I am reproducing the Press Release given out by Mr Vijay Dalmia, the advocate for information.

This Writ Petition was in Public Interest under Article 32 of the Constitution of India for issuance of Writ of Mandamus or any other appropriate Writ, order or direction directing the Respondents to take emergency and urgent steps for restraining the sale and purchase of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., which are being traded and invested-in openly and extensively within the knowledge and domain of the Respondents anonymously over internet and otherwise for a host of anti-national, illegal and nefarious activities, such as funding of terrorism and insurgency, illicit trade of arms and drugs, recruitment of terrorists, bribery, corruption, money laundering, tax evasion, generation of black money, payment of ransom, human trafficking, transfer of money through hawala, hawala trade, illicit investments, avoidance of banking channels and surveillance of funds, online gambling resulting in negative impact on Indian currency, inflation, loss of control of Government on financial discipline and illegal diversion of money, and all this happening without any border restrictions or geographical constraints by avoiding and violating laws, resulting in danger to the integrity and sovereignty of India causing harm and danger to the peace and tranquility of the society, the security of the state and the residents of India.

This writ was an outcome of a cyber attack on 13th May, 2017 by Wanna Cry ransomware. The WANNA CRY ransomware opened the eyes to the truth behind the cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc. to the world including India. It has been reported widely in media that Lakhs of people got their data encrypted and their system was locked in India and over 104 other countries. Since 13th of May, the entire world is concerned about the ransomware. This large-scale worldwide cyber-attack was launched affecting computer networks in many countries across the globe, including India. The hackers demanded payments of $300 to $600 (roughly Rs. 19,000 and Rs. 38,000) using Bitcoins as a ransom for unlocking computers and affected devices. The magnitude of the attack is yet to be ascertained by the Indian Government. The Reserve Bank of India had to notify all banks to operate their ATMs only after updating software systems to avoid being infected by ransomware. It has been reported in media that one of the biggest impacts so far has been on computers used by the Andhra Pradesh police where 18 units across five districts, including Visakhapatnam and Srikakulam, had been under attack. There were reports that the virus also infected computers in the offices of the West Bengal State Electricity Distribution Company in three blocks, Belda, Data and Narayangarh in West Midnapore district. The attack has crippled lakhs of computer devices and network computers across the globe, and struck banks, hospitals, and government agencies in several countries. In India, many of these hackings go unreported as companies do not want to ‘damage’ their reputation and ransom money may be paid through Bitcoins as anonymity is maintained. Ransomware is a form of malware that encrypts a computer’s files and displays a message to the user, saying it will decrypt the files for payment, typically via Bitcoin.
WannaCry is a program targeting Microsoft’s Windows operating systems where hackers take control of a computer and lock the data until the victim makes a payment in return.

That some of the laws which are being violated because of open dealings in illegal Cryptocurrencies like Bitcoins, are as under:

  • The Constitution of India, 1950;
  • Reserve Bank of India Act, 1934;
  • The Foreign Exchange Management Act, 1999 (“FEMA”);
  • The Reserve Bank of India Act, 1934 (“RBI Act”);
  • The Coinage Act, 1906 (“Coinage Act”);
  • The Securities Contracts (Regulation) Act, 1956 (“SCRA”);
  • The Sale of Goods Act, 1930 (“Sale of Goods Act”);
  • The Payment and Settlement Systems Act, 2007 (“Payment Act”);
  • Indian Contract Act, 1872 (“Contract Act”).

In the writ petition the following prayers were made:

  1. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to declare cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., as illegal;
  2. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to take immediate steps in the present situation of emergency, for restraining and banning the sale and purchase of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc.;
  3. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to ascertain the actual figure of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., that has been sold and purchased in India, and fix accountability and responsibility for the same;
  4. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to investigate and prosecute all those who have indulged in the sale and purchase of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc., that has been sold and purchased in India, and fix accountability and responsibility for the same;
  5. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to ban access of all websites, web links and mobile applications, which are being used to buy and sell illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc. and all other websites and mobile applications which are accepting bitcoin as a payment option;
  6. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to give advertisements and wide publicity through all media, educating public about the illegalities involved with the sale, purchase and dealing of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc.;
  7. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents to implement existing laws, rules and regulations in true letter and spirit for prohibiting sale, purchase and dealing of illegal cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs), such as, Bitcoins, litecoins, bbqcoins, dogecoins etc.;
  8. Issue a Writ of Mandamus or any other appropriate Writ, order or direction under Article 32 of the Constitution of India, directing the Respondents, in case there are any deficiencies in existing laws, rules and regulations, to enact appropriate law and frame rules and regulations to regulate sale, purchase, dealing, holding and reporting of cryptocurrencies or Decentralised Digital Currency or “Virtual Currency” (VCs).

The other relevant details of the PIL are as under:

Date of Hearing: 14th July, 2017

VIJAY PAL DALMIA vs. UNION OF INDIA THROUGH CABINET SECRETARY

Writ Petition (Civil) no. 406 of 2017 (PIL)
BEFORE SUPREME COURT OF INDIA
CHIEF JUSTICE’S COURT
HON’BLE THE CHIEF JUSTICE Mr. J.S. Khehar
HON’BLE DR. JUSTICE D.Y. CHANDRACHUD

Now the issue has been referred to the Reserve Bank of India, to take a call on the subject matter within 4 weeks of the receipt of the copy of the writ along with the representation of the undersigned.

The issue of the Crypto Currencies/Virtual currencies like Bitcoins is of national importance, and needs a debate in media as well as a firm stand by the Government of India.

Best Regards,

Vijay Pal Dalmia, Advocate


Are Drugs to be made legal in India?

What a ridiculous question to ask?… anyone would say. But this thought came to me after reading the comment supposedly made by a Finance Ministry Official (Unknown) quoted by coindesk.com in its article available here.

(If this quote is a result of what is published in Hindu, then all my remarks on Coindesk.com will apply also to Hindu)

The article states that a Finance Ministry Official has made a statement that Bitcoin trading will be taxed. In recent days the price has come down from $3000 to $2000. Hence there is a huge loss and some of it must have been suffered by those who acquired it in the last few months when the Indian Government started considering whether Bitcoin should be legalized or not. This article is therefore possibly a “Pump and Dump” effort to jack up the price in India.

The exact quote is intriguing and states as under.

“Banning will give a clear message that all related activities are illegal and will disincentivize those interested in taking speculative risks, but it was pointed out it will impede tax collection on gains made in such activities and that regulating the currency instead would signal a boost to blockchain technology, encourage the development of a supervision ecosystem (that tracks legal activities and may also assist in tracking illegal activities) and promote a formal tax base.”

My first thought is that this is fake and no official would be so naive as to consider that “impeding tax collection” could be a reason not to ban Bitcoin. I have, through a comment posted on the site, asked for the name of the official, and if I do not get the name, it would prima facie confirm that the article could be a fraudulent plant to influence the view of the finance ministry committee which is expected to come up with its report and suggestions.

I do not think that India under Mr Modi has gone so bankrupt as to consider Bitcoin as a source of revenue for the Government without which the progress would be impeded. If so, it would be even more profitable to formalize a tax base for drugs and arms as that would also boost the revenue collection and give an opportunity to track the sales. The only catch is that most such trades, including Bitcoin, happen through anonymous trades in foreign based exchanges and there is no way Indian authorities would be able to track them.

If Bitcoin is declared as a “Banned Substance” and a “Suspected Currency of Choice for Money Laundering and Terrorism”, by law, then any use of Bitcoin or trading of Bitcoin can be declared as “Assistance to Money Laundering” and “Assistance to Terrorism” and tracking could be possible by invoking international treaties.

I request coindesk.com to stop the posting of fake quotes as it would be defamatory to Mr Arun Jaitley and his subordinates. People who have tried to defame Arun Jaitley know what would be the consequence!

I also request our Finance Minister or Finance Secretary to come out with a proper denial of this quote as otherwise, Mr Subramanian Swamy may start preparing another petition of his own on how to unravel whether this quote is true or fake and to whom it should be attributed.

The Supreme Court is already seized of the matter and even the Court may issue a notice to Coindesk.com to reveal the name of the official quoted in the report. If Coindesk.com removes the article (I will have a certified copy under Section 65B of IEA), then an additional charge of “Tampering with Evidence” can be filed under Section 65 of ITA 2000/8.

There is only one option for the Government…To Ban (and announce it without any delay) Bitcoin and all Crypto Currencies unless the Reserve Bank of India floats one.

Even such an RBI sponsored Crypto Currency (BitRupee or whatever it may be called) would be acceptable only if every mining and every transaction is linked with an identity code and RBI can trace it to an individual whose KYC has been properly done. I will separately provide guidance if required on how the Government can boost its revenue in such a project.

For example, only a Digital Signature or E Sign certificate issued in India by a licensed Certifying Authority should be acceptable for authentication of transactions and wallet addresses. Even if mining is allowed to others, it could be through a licensing system with the Miner paying a proper tax. Essentially, there should be no anonymity for the transaction.

Any other suggestion even if made would be a fraud on Indian economy and any suggestion that such a decision will in fact be made is a fraud to mislead innocent investors.

Naavi


“Data is Experience”… How do we confine it?

(P.S: This is a reflection from the discussions had at the conclave in Delhi on July 14/15, 2017 on “Securing Cyber Space”)

The Conclave hosted a discussion on Legal Issues on Data Localization, Jurisdiction and Sharing in which I made out certain points which are reflected in this article.

The principle of Data Localization is that “Data” should be stored in the country of its origin, particularly when the data relates to the personal information of its citizens. It has been a demand of the law enforcement for a long time even in India. Change in law is also being demanded in this context.

In practice, Data Localization translates into holding the data in a data center which is physically located within the boundaries of a given country.

Jurisdiction is a growing concern particularly with the development of Cloud Computing and is related to the demand for Data Localization. Presently most Cyber Laws provide extra territorial jurisdiction in law though at the implementation level, there is a problem of exercising jurisdiction in the absence of treaties.

Data Sharing is related both to Data Localization as well as Data Jurisdiction but it is more a factor of “Attitude” and “Business Concerns”. If industry wants to share data on incidents either among themselves or with an industry specific CERT, there is no law to prevent it since there is always the possibility of de-identification of personal data. Businesses are more concerned about reputation loss and avoid data sharing and this attitude needs to change.

Certain countries have started legislating on Data localization. Initially small countries like Nigeria and Vietnam started the trend perhaps to preserve their authority being eroded. Russia in 2015 mandated that “data operators that collect personal data about Russian citizens record, systematize, accumulate, store, amend, update and retrieve data using databases physically located in Russia”.

China has announced a “Cyber Security Law” which mandates that “Critical Information Infrastructure Operators” need to store certain personal and business information within China.

Some countries have tried to achieve data localization objectives by placing legal restrictions on data being stored outside their jurisdiction by imposing heavy penalties. GDPR is one such example. Even HIPAA of US falls into this category.

India has already been trying to implement the Chinese model whereby Government sector data is to be stored within India through operational guidelines. A law can however be introduced either through the amendments now under consideration for ITA 2008 or through the proposed Data Protection Act being designed.

In taking a view on the required legislation in this regard, we need to be clear on why we like or need Data Localization.

For example, we need to ask: is Data Localisation required

a) As a strategy to increase data storage business in the country?

b) As a requirement to protect the privacy of the data subject?

c) As a means to empower the law enforcement to investigate crimes?

d) As a provision to enable snooping by Government?

If we need Data localization to protect the privacy of a data subject, we need to also pass necessary laws of privacy protection and without such a law, the data localization demand appears less convincing.

Law enforcement or the Government requires only “Access to Data” for their investigation and it is immaterial whether the data is in India or abroad.

There are also enough provisions already in the law to demand production of data for investigation or even snooping (through ISPs) under ITA 2000/8 and quite often the problem is not with the law or the powers of the law enforcement but the willingness of data controllers to abide by the demand.

Under Section 69, 69A, 69B or 70B, authorities in India may demand that entities who are collecting and storing data from India provide access including decryption, failing which the entity can be charged for non-cooperation with criminal penalty for the executives of the Company. If the data controllers are not understanding their liability or the authorities are not enforcing their powers, then we need to see how we improve the enforceability of the law.

Data by its very nature needs to be copied for disaster recovery purposes and also needs to be encrypted for security purposes. We therefore cannot legislate that data cannot be copied or encrypted.

Disaster Recovery against “Country Risk” requires storage of data in multiple countries. Hence when we talk of “Data Localization”, we may only be able to insist that “A copy of the Data shall be stored in the local server” which will serve the policing requirement. This is different from the provision of “Data Shall not be moved out of the borders” which is required for Privacy Protection requirements.

We know that Data irrespective of location can be accessed and manipulated from anywhere. Hence data stored here in India may be made inaccessible by encryption or even deleted so that law enforcement is denied access. At the same time even if data is stored elsewhere in the cloud, it can be accessed from India if we have the credentials.

Hence the requirement being pursued that data should be stored in the servers located in India is not necessarily a critical requirement. What we need is “Data Access”, which is a function of the willingness of the data controller to cooperate, which is addressed in the penal provisions attached to ITA 2008 for not cooperating with CERT IN or Secretaries of Home or IT in different contexts.

One of the other speakers pointed out that even for treaty purposes, a provision under CrPC such as a Sec 91 notice can be held equivalent to a judicial order to claim that the respondent needs to comply under the treaty. Under this principle, the need for a new law for cases where the existing law with appropriate notifications may suffice is not supported.

Even if a law is attempted, it may have to restrict itself to “Data of Indian Subjects” and cannot extend to data of foreign subjects processed in India.

In this context we may have to define our Data Protection law with the distinction as to the nationality of the data subject, which should become part of the data classification procedure. There could be separate regulations for Personal and Sensitive personal data of Indian subjects, Data of non personal kind from Indian corporates, personal Data of data subjects of different countries of origin, non personal data of foreign data subjects etc.

On the contrary, if we fully utilize the powers under the ITA 2008, we can achieve all the law enforcement objectives. In case of resistance by data controllers, we have no option but to exercise our penal provisions to ensure compliance.

We therefore can think of shedding our fixation on “Server Presence in India” and focus more on “Ensuring Compliance of Data Controllers to Indian law enforcement requirement”.

The concept of “Data Access” being more important than “Data localization” is already enshrined in our law through Section 65B of Indian Evidence Act, which recognizes that “Data as Viewed on a Computer can be admissible in a Court of law, if it is produced along with some relevant certificates” without the “Data Container” (the hard disk in which data resides) being brought into the custody of the Court.

We need to appreciate that Data is like Spectrum. It can be experienced but not held in hand. The binary data gets processed in an application and operating system and gets rendered as text or sound or an image visible or audible by a human being. This effect of the data is what causes legal issues and “Access” is sufficient to provide judicial validity to data wherever it resides as long as it can be accessed from India. If people do not cooperate in allowing such access, they will not do so even if we seize the server and bring it into the Court.

The objective of Data Localization, Data Jurisdiction and Data Sharing therefore boils down to

a) A permission to access data when required

b) Avoid anybody else from preventing such access

ITA 2008 provides quasi judicial powers to the Director General CERT-In which extends not only to the Government sector but also to the Private Sector. He has necessary powers to issue notifications that need to be complied with including mandatory reporting of incidents. If these powers are properly exercised, the need for a new Cyber Security Law for Data Localization, Data Jurisdiction and Data Sharing may not arise. Any such new law will only increase the confusion with overlapping provisions in multiple laws.

On the other hand, if we desire to introduce Data Localization for the purpose of increasing Data Storage activity in India, we can do so not only for the storage of personal data of Indian data subjects, but also for the global citizens by implementing strategic business oriented decisions including some legal fine tuning.

For this purpose we need to allow setting up of defined “Data Processing Zones” (on the lines of SEZs) where the processing is made immune by law to intervention of Indian laws. Such Data islands can be used to process data of foreign subjects as per laws of that country. If the services can be otherwise cost effective, there is no reason why data processors abroad may not think of using Indian data centers for processing data of EU or US data subjects subject to laws of their respective countries.

Summary of Action Points

  1. Law already recognizes that Data is different from the Data Container and while Data Containers can be placed within India, data inside is controlled on the basis of logical access which may be exercised from within the country or outside. Hence Data Localization as a concept of data server being located in India is not a critical requirement. Enforcing Access to data is more critical.
  2. Law can define classification of data based on the citizenship of the data subject in addition to the sensitivity parameters. Indian law may be able to regulate the law of Indian data subjects irrespective of location of the server.
  3. Law may liberate the information of foreign subjects processed in India from Indian regulation by creating special Data processing Zones. This will promote Indian and foreign companies to process the data of subjects of their respective countries, subject to the laws of their countries with immunity from laws of the Indian Government. This will provide them the confidence that Indian Government does not snoop on this data nor Indian law enforcement seizes the data or asks for access except as otherwise done through treaties. Since the data subjects are not Indian, there is nothing to lose by giving up this right. In the exceptional circumstances, the option of treaty would still be there. This will improve the prospect of “Process Data In India” as a business proposition.
  4. Though a Separate Cyber Security Law is the flavour of the day with Russia, China, Singapore and Australia adopting that strategy, we do not necessarily follow the herd. To avoid proliferation of laws with overlapping provisions, India may use the existing provisions through ITA 2000/8 with minor amendments to the same act if necessary to meet the requirements of
    1. having access to data of Indian subjects irrespective of location of servers and nationality of the data controllers and
    2. to simultaneously liberate the data of non Indian subjects from Indian legal encroachment through setting up of the Special Data Zones.

Naavi


Netizen Rights Commission to address the concerns of the Civil Society

(P.S: This is in continuation of the previous article in the series of discussions held at the 2 day conclave in Delhi on 14th and 15th July 2017 titled “Securing Cyber Space”.)

While addressing the Security issues concerning the Cyber Space, we often come across a debate on infringement of Privacy Rights, Freedom of Speech Rights and also “Net Neutrality”. In all these issues there is a valid point of view on either side and the challenge is to find a balance in the overall context of the society.

Speaking of the “Net Neutrality” issue, we have seen in the recent past two major issues, one regarding Telcos providing access to some websites at no data cost and the second when select type of content providers were invited to host on an exclusive platform of the Telco with free access to its customers. In both cases, data was not charged to specific content usage as against the charges made on use of content outside this privileged set of content providers. It was therefore considered as a violation of the “Net Neutrality” principle and both were dropped.

If we define “Net Neutrality” as not discriminating data usage based on the content, then it may be right in saying that in both cases, certain data was charged less than certain other data and hence there was a violation of the Net Neutrality principle.

However, in my opinion, not all “Net Neutrality Violation” instances are similar and we need to address this issue after analyzing the details. For example, in one of the cases, the TELCO proposed that certain website owners may enter into a contract with the TELCO so that visitors to that website would not be charged for the data by the TELCO. Perhaps we can presume that the website would compensate the TELCO by bearing the cost. This is like “Sponsoring” the visit to the site by the website. In normal world we may have several similar instances.

What however distinguishes an ethical business arrangement of shifting the cost incidence from the consumer to the seller and an unfair practice which creates an entry barrier for one seller against another is how the choice of the privileged seller is made and what are the privileges offered and how transparent the arrangement is from the consumer’s perspective.

For example, if the TELCO formulates a policy of who would be accepted on its privileged platform and also discloses that it has a commercial benefit by way of compensation of the cost from the seller’s side and leaves the decision to visit to the consumer, and if the policy of choosing the privileged seller is non discriminatory, then the arrangement may not be completely unfair.

If however, the TELCO makes it difficult for the users to visit the sites of the competitors of the privileged lot, by either degrading the access speed or otherwise, then there would be an issue.

In the TV content space, there is already an accepted practice of “Ad Free” and “Ad Supported” broadcasts and if this service is acceptable, there could be an argument that the TELCOs should have a reasonable freedom in designing their service packages without the Net Neutrality debate coming into picture.

In fact, ad-supported content on the web consumes more data, and therefore costs more, than content without ads. If Net Neutrality has to be observed strictly, there would be difficulty in supporting advertisements on the web, particularly those which completely block the content view for some time or those which play videos in the background consuming bandwidth without the consent of the viewer.

In view of the several interconnected issues the “Net Neutrality” objections are to be considered as case specific and they need to be evaluated and monitored on a continuous basis. One of the factors to be considered is whether there is any “Consumer Benefit” in the proposal and whether it can be preserved without discriminating against any seller.

In order to evaluate such proposals, there is a need for a suitable authority or a regulator who can intervene if any service is not fair. No doubt TRAI itself is expected to discharge this responsibility from the side of the business community which wants to use the Internet for promoting its business.

When the consumers need to be represented in such decision making, the only instrument could be through a public consultation process that a regulator like TRAI could run. In certain cases, if consumer interests are affected, they are taken up under “Internet as a fundamental Right” or “Privacy and Freedom of Speech is a democratic right” etc through the Human Rights Commission or Activism.

While this mechanism of Human Rights was developed in order to protect the democratic rights of individuals and has been in most cases delivering results, in India we often find that “Human Rights” is meant mostly to protect the rights of Criminals and Terrorists rather than the innocent victims of oppression including falsely accused police officers. The reasons for this are many. Perhaps many of the Human Rights Organizations are under some kind of obligation to international outfits which have a different agenda and hence activism highlights only issues that are not in the national interest of India.

As regards the heads of the Human Rights Commission, who are normally drawn from the Judiciary, the problem is not one of intention but one of understanding the problems of the Net society in the right perspective and reacting in time and properly. We have seen that even 16 years after the passage of ITA 2000, the judiciary is yet to fully appreciate the nuances of techno-legal issues. It is therefore not surprising that the Human Rights Commission as it exists today may not be able to empathize with the needs of the Netizens appropriately. At the same time, International Human Rights Law and Practice has developed over time and got itself entrenched in certain fixed notions which are not easy to change.

It is therefore one of the suggestions that I have proposed for several years that we should develop a “Netizen Rights Commission” first in the Indian Jurisdiction and try to address most of the Cyber Issues affecting the rights of the Citizens of India who also are Netizens in a particular context  through the Netizen Rights Commission.

The idea of a “Netizen Rights Commission”, including its scope, constitution, jurisdiction and relation to the current judicial system, is a matter which requires further debate and examination.

Also whether Netizen Rights Commission at State and National level can substitute the Adjudication system and Cyber Appellate tribunal (Now merged with TDSAT) is a serious legal issue which affects the provisions of the ITA 2000.

But the concept has a good potential to address many of the unresolved issues of Cyber Space and management of the Cyber Society-Meta Society conflicts. It can address Privacy Issues and Data Protection issues including protecting the Indian citizens (which may include Indian registered corporate entities) from unreasonable imposition of foreign laws such as GDPR etc.

I suppose the idea is worth exploring as a part of the larger “National Cyber Security Policy”.

Action Point Summary

The summary of action points suggested by the undersigned during the session on Civil Society Concerns in the conclave, captured in the three articles, is as follows:

  1. Civil Society representation in security policy formulation requires representation of wider sections of society from across the country and should not be restricted to the section active on the TV media in Delhi.
  2. Whenever web based public consultations are held based on which decisions are taken, there should be transparency on what was suggested and how they were deliberated by the decision making committee which should be documented in the final report.
  3. Security is of paramount necessity to protect democracy which in turn is responsible for protecting the rights such as Freedom of Expression or Privacy. Hence Internet Shutdown as part of the security requirement has to be tolerated as a necessary evil. However necessary checks and balances need to be built to prevent misuse of the Internet lock down option to preserve freedom of expression as a principle of democracy.
  4. In order to prevent shutdown of critical citizen services dependent on the availability of the Internet, the technical possibility of segregating essential and non-essential services in the data channels needs to be considered.
  5. A scheme akin to “Digital Ambulances” may be licensed to carry essential critical data in cases where the larger Internet is shut down for security reasons to block communication through web, e-mail or messaging services.
  6. Digital Ambulance services need to be made accessible on some acceptable form of identity verification through identity gateways using digital signature or e-sign as identity options.
  7. In the longer term the possibility of creating a “White Web” in contrast to the “Dark Web” and the current mixed variety could be considered. While the Dark Web is characterized by total anonymity, the White Web would be characterized by Total Identity. The current web is a mixed variety where pseudonymity works along with anonymity and identity.
  8. Net Neutrality issues are to be considered on a case to case basis with Consumer interest factored in for evaluation.
  9. A “Netizen Rights Commission” may be considered in the Indian context to ensure that the rights of Netizens are taken proper care of with a suitable legal base.

The above suggestions are requested to be considered for accommodation in the recommendations that the Conclave may recommend to the Government.

(P.S: These suggestions are related to one of the sessions that naavi participated on 14th July 2017.  Naavi also participated in another session on Cyber Laws on 15th July 2017 and suggestions thereon would be separately provided in the subsequent articles.)

Naavi


Digital Ambulance Service during Internet Shutdowns to meet Civil Society Concerns

(P.S: This is in continuation of the previous article in the series of discussions held at the 2 day conclave in Delhi on 14th and 15th July 2017 titled “Securing Cyber Space” )

The discussion on Civil Society Consultations on Net issues had focused on two specific aspects namely “Internet Shutdowns” and “Net Neutrality” and Naavi placed his views for discussion which is also reflected in greater detail here.

The “Internet Shutdowns” have recently come under criticism by Human Rights Activists since they have been used when the Police have observed that WhatsApp messaging has been used to mobilize violent protesters and Police sought to break this communication channel as a part of their law enforcement requirement.

Internet is respected as “Free Speech” and we often demand that it should be considered as a “Fundamental Right” and should be protected as such in a democratic society. We are also aware that Internet has been used in the past for positive democratic movements including the Anna Hazare movement itself and shutdowns if it occurs are of concern to citizen activists.

However, we cannot deny that in recent days the Internet has been misused by protestors in J&K to mobilize Stone Pelters to disturb the activity of the army against terrorists. It has also been used in other places in India, including perhaps in Gujarat, to mobilize crowds for anti-Government protests and for spreading rumours aimed at disturbing peace in the society.

If the law enforcement has credible information that such protests or rumours can cause law and order problems, it is difficult to object to law enforcement seeking temporary shutdown of the channel of communication that can fuel trouble.

The debate on what is a reasonable case for intervention and when it becomes a trampling of democratic rights will never end, and there have to be checks and balances, including a judicial review if need be, in case the Internet shutdown is used indiscriminately. Present law in ITA 2008 already has some provisions in this regard and if it is not being followed properly, we can examine the remedies related to proper implementation of the Section 69/69A rules.

Genuine, law respecting civil society would not mind accepting inconvenience as a part of the security of the society since we all realize that only if we survive in the society we can demand democratic rights such as free speech and privacy. These rights are therefore always subordinate to the requirements of Security.

The Civil Society concern is therefore not whether Internet shutdowns should be allowed or not but that they should not be misused. This requires trust building between the regulatory authorities and the public and following a “Due Process of Law” in administering the shutdowns.

Presently the checks and balances all revolve around officials in the Government and the Civil Society representatives (of the right type) are not involved either in the decision making or post decision review. This breeds distrust and a feeling that the provisions of Internet Shutdowns may be used like imposition of emergency to curb civil rights.

We need to therefore strengthen the process of post Internet shutdown review and involve civil society members in the consultation process. The concept of “Netizen’s Rights Commission” which I will elaborate more in my next article is one of the tools that we can use for this purpose.

Focusing now more on the technical solution side, it is to be recognized that with India becoming more and more dependent on Digital transactions, Internet shutdowns could adversely affect innocent citizens who simply want to carry on their normal digital activities. In particular we would like our digital financial transactions, health services etc. not to be disturbed by the Internet shutdowns.

The challenge is to ensure that the “Critical Digital Services” continue to operate even when an Internet shutdown is warranted.

Technically this means that communication channels such as WhatsApp-like messaging services, e-mail and the web, which can be used for spreading rumours and causing law and order problems, should be separated from the part of the Internet that deals with critical services.

Just as there is a “DarkWeb” which criminals have created as their territory, we should consider the possibility of creating a “White Web” where we can run the critical services.

If we have the segregation of “Non Essential Communication Data” from the “Essential Communication Data”, we can try to apply Internet Shutdowns selectively so that law enforcement needs are met without adverse impact on critical services.

This situation is like a curfew in a town, during which critical movements of citizens can still be accomplished in Government vehicles.

We need to therefore find means of diverting the “Critical Services” to an “Emergency Network” during the time “Internet Shutdowns” are required.

This can be achieved by creating a separate communication channel, like a VPN, that can carry the “Sensitive Critical data Traffic”. It can either be a permanent solution to many of our security issues or be operated only during emergencies.

The access to such a network would obviously be based on “Identity clearance” through an “Identity Gateway” using digital signature or e-sign as a base for identity. OTP is not considered a recommended identity clearance mechanism. If there are any other alternatives, they can be considered.

These services can also be licensed to the service operators themselves under a strict guideline and work like a “Digital Ambulance Service” that carries the critical data at times of Internet shutdowns.

One such “Digital Ambulance” can also be licensed to a “Media Self Regulatory Body” or even the “Supreme Court” or the “Netizen Rights Commission” so that “Free Speech” can still reach an ombudsman who can filter it and take steps whereby citizens’ democratic rights are not trampled upon.

Some of these measures may come in conflict with the “Net Neutrality” debate which is discussed in the next article. But with the creation of the Netizen’s Rights Commission and that such instances of internet shutdowns are temporary and not permanent, we must be able to consider this “Digital Ambulance” concept to address the Internet Shutdown requirements.

Naavi


Civil Society Consultations on Net Issues

Yesterday, in the conclave on “Securing Cyber Space” at IIC, Delhi, experts from different NGOs spoke on the topic of Civil Society Consultations on Net issues such as net Neutrality and Internet Shutdowns before an august audience of Cyber Security professionals.

Naavi speaking on the occasion discussed the concerns of the civil society and how it needs to be addressed.

He recalled the instance when, around the year 2000, the Mumbai High Court, hearing a public interest case on whether people should be asked to produce IDs for visiting Cyber Cafes, mandated that an Internet article of Naavi be placed on the Government website of VSNL (at that time VSNL was the sole Internet service provider) along with the proposal of the Government, to ensure that the larger public could react. This trend is what the Internet has brought to the domain of Civil Society consultations. In fact the Draft E-commerce Act 1998, which was the precursor to the current Information Technology Act, was also perhaps the first legislative “Bill” to be placed for public comments. Even recently we have seen that the Bitcoin issue was discussed on the forum of MyGov.in to solicit public opinion.

RBI is also frequently placing draft regulations for public comments before they are finalized.

There is no doubt that this is the norm and in future all legislations when in draft form would be placed for public comments. It is a good practice and needs to be strengthened.

However, the consultations will have meaning only when proper representation of the “Civil Society” is allowed to contribute their views and the decision makers actually take those views into consideration.

We have sometimes seen that the web based collection of views is only a formality and the public really do not know if the views really go into the decision making process as an input. There are also instances (e.g. the Bitcoin consultation) where vested interests take over such a consultation process and flood the forum like a Twitter troll with their views, corrupting the process. In the Bitcoin issue, MCX, which is an insider to the process of Bitcoin regulation, was caught using the forum to express vested interests and it was left to vigilantes like the undersigned to call out their unethical act.

Similarly, when RBI floated a “Limited Liability Draft Circular” on August 11, 2016 and closed the consultations on 30th August 2016, the final rule was expected soon after. But it took until July 6, 2017 for the draft circular to be confirmed, and that too after the undersigned brought it to the attention of all concerned including our busy PM, FM and others. In this time there were many more banking frauds where the victims could not get a timely reaction from the Banks. Though the final notification is well appreciated, the delay could have been avoided and indicated that there were perhaps some differences of opinion that had to be contended with.

Presently there are many other issues such as AEPS, P2P lending, HDPSA, amendments to ITA 2008, new Data Protection Act, Cyber Insurance etc. which are under different stages of development and in which public consultation is called for.

If we observe how the US has handled the HIPAA consultation process (refer to the “Final Omnibus Rule”), the document that was finally published discusses the various comments made and the reasons why each was considered or not considered. The process is trust building since the public know why a certain rule was made.

We need to adopt such a process of “Revealing the public response”, along with the views of the decision making committee on specific points made in the response (after filtering troll-like opinions) and why a decision was finally taken in a particular manner, in all future consultations.

It is needless to say that when a more detailed consultation with physical meetings is held, it is the duty of the consultative committee to ensure that the Civil Society representatives they choose to consult are not limited to the few vocal media facing persons located near the seat of power. There have to be consultations in other places down south also so that a wide set of viewpoints is used before coming to the final decision.

(These are part of the discussions…will be continued)

Naavi
